On Tue, 23 Jan 2001, dprocc wrote:
Are these the definitions you mean?

#define ICMP_ECHOREPLY 0 /* Echo Reply */
#define ICMP_DEST_UNREACH 3 /* Destination Unreachable */
#define ICMP_SOURCE_QUENCH 4 /* Source Quench */
#define ICMP_REDIRECT 5 /* Redirect (change route) */
#define ICMP_ECHO 8 /* Echo Request */
and so forth
I took this from the kernel source tree in: /usr/data/src/linux-2.2.13.SuSE/include/net/icmp.h
I've got a good description of the basic ICMP types in Ziegler's book "Linux Firewalls", but I haven't found a definition of the message sub-types. It's probably in the Comer books, but my copy is in storage at the moment. It's probably in an RFC, and I have all of them loaded on my system, but I don't know which number is the most recent index. I haven't had any luck fishing. (Wouldn't it be nice if the kind folks at SuSE included a link in that RPM called INDEX, pointing to the most recent index/status RFC.)

'man ipchains' mentioned getting a list via 'ipchains -h icmp', which returned the following, in part:

destination-unreachable
    network-unreachable
    host-unreachable
    protocol-unreachable
    port-unreachable
    fragmentation-needed
    source-route-failed
    network-unknown
    host-unknown
    network-prohibited
    host-prohibited
    TOS-network-unreachable
    TOS-host-unreachable
    communication-prohibited
    host-precedence-violation
    precedence-cutoff

So now I've got the names; I just need the definitions!
My understanding at this point is that ICMP destination unreachable (port unreachable) is essentially the difference between -j DENY and -j REJECT. A DENY'd packet is just dropped on the floor, while a REJECTed packet returns ICMP port unreachable. Somebody please tell me if I'm on the right track here! So I'm confused when it appears to me that SuSEfirewall is dropping all outgoing ICMP 3's except 'fragmentation needed' and 'communication prohibited'. So there would be no external difference between a DENY and a REJECT, right?
I just posted a similar question about these DENYs to the list, so sorry about the duplication. I am very interested to hear what the Destination Unreachable packets do for the ISP and for attackers.
A portscanner will get NO response, and will have to wait for a timeout, if packets are dropped, but will get an immediate ICMP destination unreachable if they are REJECTed. Steve Gibson, on his Shields Up! site (www.grc.com - publicly available portscanner) seems to think the stealth approach of no response is better protection. On the other hand, I'd rather be polite with those hosts that I'm intending to communicate with.

FURTHER RESEARCH:

Still trying to understand what's going on under the covers as I send mail, I ran tcpdump as I sent an e-mail, then viewed the resulting file with ethereal. I'm finding this to be a real educational tool! Ethereal maps out and interprets all the bits of each packet, so I'm learning bunches about the protocols.

I found out that the ICMP destination unreachable was in response to my ISP's mail relay host attempting to connect to my ident server. This sounds like a reasonable behavior. But I'm not running an ident server, because I'd rather give out as little information as possible.

I'm now thinking that it's time for me to graduate to a 2.4 kernel and iptables. I recently read something about 'stateful' rules in iptables, so I could conceivably have a default DENY for ident, yet open up a temporary ACCEPT for a specific IP address when I see an outgoing TCP SYN towards that IP address's mail (or dns) server. Kewl.

Has anybody successfully upgraded SuSE 6.4 to kernel 2.4? Or would I be better off starting with a fresh SuSE 7.0 system?

-- 
Rick Green
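The following is an added example, not part of the original thread or of the ipchains/SuSEfirewall code it discusses. It shows the DENY-versus-REJECT difference the post asks about at the packet level: given the ISP mail relay's TCP SYN to the ident port, a DENY policy returns nothing, while a REJECT policy returns an ICMP type 3 (destination unreachable) code 3 (port unreachable) that quotes the refused datagram's IP header plus its first 8 bytes, which is how a sniffer such as ethereal can tell which connection attempt the ICMP refers to. The destination-unreachable code table maps the names printed by 'ipchains -h icmp' to the numeric codes from RFC 792 and RFC 1812. The hosts 192.0.2.25 (mail relay) and 198.51.100.7 (the firewalled machine), the port numbers and the function names are constructed for the example.

```python
"""Build and decode the ICMP port-unreachable a REJECT rule sends (added example)."""
import struct
from ipaddress import IPv4Address
from typing import Optional

ICMP_DEST_UNREACH = 3  # same value as the kernel icmp.h define quoted in the thread

# Destination-unreachable codes from RFC 792 / RFC 1812, keyed by the names
# 'ipchains -h icmp' prints (codes 8 and 16 have no ipchains name).
DEST_UNREACH_CODES = {
    "network-unreachable": 0, "host-unreachable": 1,
    "protocol-unreachable": 2, "port-unreachable": 3,
    "fragmentation-needed": 4, "source-route-failed": 5,
    "network-unknown": 6, "host-unknown": 7,
    "network-prohibited": 9, "host-prohibited": 10,
    "TOS-network-unreachable": 11, "TOS-host-unreachable": 12,
    "communication-prohibited": 13, "host-precedence-violation": 14,
    "precedence-cutoff": 15,
}
CODE_NAMES = {code: name for name, code in DEST_UNREACH_CODES.items()}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4, ICMP and TCP headers.
    Summing a header that already contains its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0x1000) -> bytes:
    """IPv4 datagram carrying a bare TCP SYN (20-byte header, SYN flag only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = (IPv4Address(src).packed + IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    return ipv4_packet(src, dst, 6, tcp)


def firewall_reply(policy: str, datagram: bytes) -> Optional[bytes]:
    """What the packet filter sends back: nothing for DENY (dropped on the floor),
    an ICMP type 3 code 3 for REJECT, as the post describes."""
    if policy == "DENY":
        return None
    if policy != "REJECT":
        raise ValueError("unknown policy: %s" % policy)
    ihl = (datagram[0] & 0x0F) * 4
    src = str(IPv4Address(datagram[12:16]))
    dst = str(IPv4Address(datagram[16:20]))
    # RFC 792: an ICMP error quotes the offending IP header plus 8 bytes of its payload
    quoted = datagram[:ihl + 8]
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH,
                       DEST_UNREACH_CODES["port-unreachable"], 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_packet(dst, src, 1, icmp)  # sent by the refusing host back to the sender


def decode_dest_unreachable(packet: bytes) -> dict:
    """Decode an ICMP destination-unreachable the way a sniffer displays it:
    outer addresses, the code name, and the connection attempt being refused."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP datagram")
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("ICMP type %d is not destination unreachable" % icmp[0])
    inner = icmp[8:]                      # quoted IP header + 8 bytes of its payload
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]
    info = {
        "from": str(IPv4Address(packet[12:16])),
        "to": str(IPv4Address(packet[16:20])),
        "code": CODE_NAMES.get(icmp[1], "code-%d" % icmp[1]),
        "original_src": str(IPv4Address(inner[12:16])),
        "original_dst": str(IPv4Address(inner[16:20])),
        "original_proto": inner[9],
    }
    if inner[9] in (6, 17) and len(l4) >= 4:  # TCP/UDP: ports are the first 4 bytes
        info["original_sport"], info["original_dport"] = struct.unpack("!HH", l4[:4])
    return info


# Constructed sample: the ISP's mail relay probing our ident port (TCP 113).
IDENT_PROBE = tcp_syn("192.0.2.25", "198.51.100.7", sport=40001, dport=113)

if __name__ == "__main__":
    print("DENY   ->", firewall_reply("DENY", IDENT_PROBE))
    print("REJECT ->", decode_dest_unreachable(firewall_reply("REJECT", IDENT_PROBE)))
```

Run as a script it prints None for DENY and, for REJECT, a decoded port-unreachable from 198.51.100.7 to 192.0.2.25 whose quoted header names the original SYN to port 113, i.e. the same information ethereal showed the poster. A remote scanner sees only this difference: a timeout under DENY, an immediate ICMP under REJECT.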